Fighting ransomware with network segmentation as a path to resiliency

fighting ransomware network segmentationRecent cybersecurity events involving the use of ransomware (WannaCry and similar variants) represent the latest examples highlighting the need for organizations to not only take an initial hit, but survive, adapt, and endure. In other words, be resilient.

All too often, our community is a witness to any number of similar events where an initial breach leads to catastrophic effects across the enterprise. We need to do better; the methodologies and tools to do so are readily available.

Organization can achieve network resiliency and survivability through a strategy embracing network segmentation in general, and micro-segmentation in particular. In a world where it is simply unrealistic to expect CIOs, CTOs and organization security teams to know about and cover everything on their networks, they must strive to protect what they do know about and control access across organizations which are increasingly amorphous, porous and dynamic.

Ask any infosec professional what steps to take to secure a network, and you’ll hear some common themes. Know the hardware and software deployed on your network and how it should communicate so you can detect if two devices shouldn’t be talking. Enable application whitelisting, encrypt data in transit and at rest, and enforce network segmentation.

Security professionals know that most networks are like a piece of candy – they have a hard crunchy outside and a soft gooey inside. Network segmentation removes the gooey inside, simultaneously reducing mean time to detection and mean time to remediation – the two most important metrics for security incidents. These steps make it very hard for any adversary to gain, maintain and further develop access and move freely across a network. In fact, this will significantly reduce attacker ROI, often making them look elsewhere for an easier target.

The challenge to many, if not most, organizations is a lack of network inventory and true visibility. Patching failure is often cited as the cause of network breaches, but you can’t patch what you don’t know about. In many cases, organizations must deal with devices that are leased and not under their full control. In other cases, devices cannot be brought down for patching due to operational requirements. In still other examples, the gear and infrastructure is “mixed” and “common” (the cloud and other shared resources). Lastly, some infrastructure is simply too delicate to handle any patching.

What then is the answer? As CIOs and CTOs are driving the rapid adoption of new technologies (many of which lack basic security hardening), security teams are struggling to deal with increased attack surfaces and rapidly changing network boundaries. This relationship sets up a dynamic tension that is not sustainable.

Segmentation is the solution to this problem with a particular focus on the emerging world of micro-segmentation. In this model, security profiles are adopted closer to the endpoint, thus replacing the traditional concept of a hardened single perimeter, and providing a dynamic and scalable perimeter wrapped around every workload.

Deployed correctly – particularly when combined with software defined networking and encryption – microsegmentation allows for the presentation of true “zero trust models” across the enterprise. This protects critical workload and business processes while reducing reliance on overly complex hardware-based infrastructure and rulesets (which bring their own vulnerabilities to the mix).

Adversaries usually don’t know where they land on the targeted system or network, or what’s around them. This is just as true for nation state attackers and insider threats as it is for unskilled attackers. By limiting their ability to move laterally throughout a network, they are quickly detected and contained, limiting the damage caused by any intrusion.

The key is to limit the extent by which the attacker retains any advantage inside the network, regain control and initiative, and reduce the impact of any attack across the enterprise. It’s a fact of life today that organizations will eventually be hit with a cyberattack. But with the appropriate segmentation, they will survive if they are prepared and resilient.